Re: AuthenticationMethods in sshd_config accepting empty method list

On Thu, Jun 19, 2014 at 02:56:49PM +0200, mvadkert wrote:
> Hi everyone,
> 
> I just came across a contradiction between the man page of AuthenticationMethods and the accepted
> methods list.
> 
> According to the sshd_config manual page:
> """
> AuthenticationMethods
> 
> Specifies the authentication methods that must be successfully completed for a user to be granted
> access. This option must be followed by one or more comma-separated lists of authentication method
> names. Successful authentication requires completion of every method in at least one of these lists.
> """
> 
> But in reality an empty list is also accepted by sshd (servconf.c:1605).
> 
> What is the reason to accept an empty method list? Does the man page need an update?
> 

Hi,

I believe that this is a bug in the parsing code, which doesn't handle an empty list correctly. The following patch
fixes it.

--- a/servconf.c
+++ b/servconf.c
@@ -1630,6 +1630,8 @@ process_server_config_line(ServerOptions *options, char *line,
                break;
 
        case sAuthenticationMethods:
+               if (cp == NULL || *cp == '\0')
+                       fatal("%.200s line %d: Missing argument.", filename, linenum);
                if (*activep && options->num_auth_methods == 0) {
                        while ((arg = strdelim(&cp)) && *arg != '\0') {
                                if (options->num_auth_methods >=
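
Review bot: the new check in `case sAuthenticationMethods:` tests only whether `cp` is NULL or empty before the loop, while the loop condition `while ((arg = strdelim(&cp)) && *arg != '\0')` also ends on a first token that is itself empty, so a non-empty `cp` whose first token is empty could still leave `options->num_auth_methods` at 0. Consider validating after the loop that at least one method list was stored, or checking the first `arg` inside the loop, so the error covers every way of ending up with no lists. Also note that the `fatal()` sits outside the `*activep && options->num_auth_methods == 0` guard, so it fires for lines that would otherwise be skipped; that seems right for a syntax error but is worth stating in the commit message.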


-- 
Petr Lautrbach
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
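
A configuration audit for the condition discussed in this thread, added here as an example (it is not code from the thread or from OpenSSH): it flags `AuthenticationMethods` lines that do not carry at least one non-empty method list, as the quoted man page text requires. The sample configuration is constructed, the function name is hypothetical, and the tokenising (whitespace-separated arguments with shell-style quotes via `shlex`) is an assumed approximation of sshd's own parser.

```python
import re
import shlex

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
AuthenticationMethods publickey,password publickey,keyboard-interactive
Match User backup
    AuthenticationMethods
Match Group admins
    authenticationmethods ""
Match User deploy
    AuthenticationMethods publickey,,password
"""


def audit_authentication_methods(config_text):
    """Return (line_number, problem) for every AuthenticationMethods line
    that lacks "one or more comma-separated lists" of method names."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword, then whitespace or an optional '=', then the arguments.
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)
        if not m or m.group(1).lower() != "authenticationmethods":
            continue  # keywords are matched case-insensitively
        try:
            method_lists = shlex.split(m.group(2))
        except ValueError:
            findings.append((lineno, "unbalanced quotes"))
            continue
        if not method_lists:
            findings.append((lineno, "no method list given"))
        elif any(ml == "" for ml in method_lists):
            findings.append((lineno, "empty method list"))
        elif any(n == "" for ml in method_lists for n in ml.split(",")):
            findings.append((lineno, "empty method name inside a list"))
    return findings


if __name__ == "__main__":
    for lineno, problem in audit_authentication_methods(SAMPLE_CONFIG):
        print(f"line {lineno}: AuthenticationMethods: {problem}")
```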



